As a final update to this thread: Dan Bernstein acknowledged this bug
as a security hole in djbdns and recommends that users install my
patch. A copy of his post is available at
http://marc.info/?l=djbdns&m=123613000920446&w=2.